summaryrefslogtreecommitdiff
path: root/modules/pam_selinux/pam_selinux.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_selinux/pam_selinux.8')
-rw-r--r--modules/pam_selinux/pam_selinux.863
1 files changed, 63 insertions, 0 deletions
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
new file mode 100644
index 00000000..4ccec58c
--- /dev/null
+++ b/modules/pam_selinux/pam_selinux.8
@@ -0,0 +1,63 @@
+.TH pam_selinux 8 2003/08/26 "Red Hat Linux" "System Administrator's Manual"
+.SH NAME
+pam_selinux \- set the default security context after login via PAM.
+.SH SYNOPSIS
+.B session optional /lib/security/pam_selinux.so
+.br
+
+.SH DESCRIPTION
+In a nutshell, pam_selinux sets up the default security context for the next execed
+shell.
+
+When an application opens a session using pam_selinux, the shell that gets
+executed will be run in the default security context, or if the user chooses
+and the pam file allows the selected security context. Also the controlling
+tty will have it's security context modified to match the users.
+
+Adding pam_selinux into a pam file could cause other pam modules to change
+their behavior if the exec another application. The close and open option help
+mitigate this problem. close option will only cause the close portion of the
+pam_selinux to execute, and open will only cause the open portion to run. You
+can add pam_selinux to the config file twice. Add the pam_selinux close as the
+'first' session entry and open as the 'last' session entry. This way when pam
+executes the open pass through the modules, pam_selinux open_session will
+happen last. When pam executes the close pass through the modules pam_selinux
+close_session will happen first.
+
+.SH ARGUMENTS
+.IP close
+Only execute the close_session portion of the module.
+.IP debug
+turns on debugging via \fBsyslog(3)\fR.
+.IP multiple
+tells pam_selinux.so to allow the user to select the security context they will
+login with, if the user has more than one role.
+.IP open
+Only execute the open_session portion of the module.
+.IP nottys
+Do not try to setup the ttys security context.
+.IP verbose
+attempt to inform the user when security context is set.
+
+.SH EXAMPLE
+\fB/etc/pam.d/some-login-program\fP:
+.br
+auth required /lib/security/pam_unix.so
+.br
+session required /lib/security/pam_permit.so
+session optional /lib/security/pam_selinux.so
+.br
+
+.SH CAVEATS
+Setting the following line will cause the login to fail
+auth sufficient /lib/security/pam_selinux.so verbose
+
+
+.SH SEE ALSO
+pam_selinux_check(8)
+
+.SH BUGS
+Let's hope not, but if you find any, please email the author.
+
+.SH AUTHOR
+Dan Walsh <dwalsh@redhat.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-23 07:23:21 +0000